18F / myusa

MyUSA was a single sign-on project for government, now deprecated. (More info: https://18f.gsa.gov/2015/05/18/myusa/)

Decide what 2FA options MyUSA should offer users and integrators #658

Closed esgoodman closed 9 years ago

esgoodman commented 9 years ago

Two-factor authentication is implemented and functional. However, we have a number of UX questions about where and how it shows up.

The options up for discussion are:

  1. Require 2FA of all users of MyUSA, all the time. As a consequence, a 2FA chooser goes into the first-time sign-up and returning user flows. We keep and revise the existing 2FA elements in the account management site.
  2. Strongly recommend mandatory 2FA for some but not all applications. As a consequence, we add a 2FA requirement checkbox to the application creation panel. That in turn adds a 2FA chooser into the first-time sign-up and the returning user flows only for websites that enable mandatory 2FA.
  3. Make 2FA a user-selected, non-mandatory setting. This is the current status quo. When 2FA is enabled, a 2FA chooser pops up during first-time sign-up and returning user flows only for users who have enabled it in the account management site.
  4. Remove access to the 2FA functionality entirely.

Assumptions: most 18F-ers and other federal employees using MyUSA more than once a month will go through Google OAuth or through secure gov’t email. Based on pretty reliable data, we think that non-federal employees who make a MyUSA account will use the account once or twice a year.
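The options above amount to a small decision table: who triggers the 2FA chooser, and when. The following is an added example (not MyUSA project code) that encodes options (2) and (3) layered together: the user's own opt-in or an integrating application's mandatory flag makes a second factor required, a user who is pushed into 2FA by an application but has no method enrolled is sent to the chooser rather than silently blocked, and a verification already completed in the session is honoured for a limited time so returning users are not re-prompted on every visit. The struct names, the `require_two_factor` application flag, and the 12-hour freshness window are assumptions for illustration; the project's real models differ.

```ruby
# Added example, not 18F/myusa code. Models the 2FA decision for the
# sign-up and returning-user flows under options (2) + (3) of the thread.
# All names, fields and the TTL below are assumed for illustration.
require 'time'

# Outcomes the sign-up / returning-user flows branch on.
NO_CHALLENGE = :none        # proceed without a second factor
ENROLL       = :enroll      # show the 2FA chooser: user has no method set up yet
CHALLENGE    = :challenge   # prompt for the already-enrolled second factor

# How long a completed second-factor check is honoured within one session
# before the user is prompted again (assumed value, 12 hours).
SECOND_FACTOR_TTL = 12 * 60 * 60

# Minimal stand-ins for the real models (constructed for this example).
User             = Struct.new(:two_factor_enabled, :two_factor_enrolled, keyword_init: true)
OAuthApplication = Struct.new(:name, :require_two_factor, keyword_init: true)
Session          = Struct.new(:second_factor_verified_at, keyword_init: true)

class SecondFactorPolicy
  def initialize(now: Time.now)
    @now = now
  end

  # Option (3): the user opted in from the account management site.
  # Option (2), layered on top: the application's creator ticked the
  # "require 2FA" box, so every user of that application is covered.
  def required?(user:, application:)
    user.two_factor_enabled || application.require_two_factor
  end

  # Decide what the authorization flow should do for this user/app/session.
  def decide(user:, application:, session:)
    return NO_CHALLENGE unless required?(user: user, application: application)
    # A user pulled into 2FA only by the application's policy may have no
    # method enrolled yet; the chooser must be shown before any challenge.
    return ENROLL unless user.two_factor_enrolled
    # Returning users within the freshness window are not prompted again.
    return NO_CHALLENGE if recently_verified?(session)
    CHALLENGE
  end

  private

  def recently_verified?(session)
    at = session.second_factor_verified_at
    return false if at.nil?
    (@now - at) < SECOND_FACTOR_TTL
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = SecondFactorPolicy.new
  casual = User.new(two_factor_enabled: false, two_factor_enrolled: false)
  strict = OAuthApplication.new(name: 'strict-app', require_two_factor: true)
  puts policy.decide(user: casual, application: strict,
                     session: Session.new(second_factor_verified_at: nil)) # enroll
end
```

Wherever the chooser is placed in the UI, the `decide` call belongs server-side at the point the authorization grant is issued, so that an application's mandatory flag cannot be bypassed by skipping the chooser page; the UI only renders whichever outcome the policy returns.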

esgoodman commented 9 years ago

We asked the cybersecurity channel for their thoughts. The results: NO on (1) and (4), YES PLEASE to (2) and (3). (2) and (3) are compatible, with (2) layering features onto (3).

@dhcole added some nuance:

+1: 2factor is super important and app devs might want to leverage it, -1: yes, but myusa is just delegating authorization to another service (google oauth or email + link verification) and 2-factor should happen there

esgoodman commented 9 years ago

@adelevie and @yozlet, how hard would it be to make 2FA mandatory for some integrations but not others?

jackiekazil commented 9 years ago

:+1:

mkhandekar commented 9 years ago

Looking at Google's 2-step verification guide as inspiration as we start to do ours.

[Screenshots of Google's 2-step verification flow, labelled 1a, 1b, 2, 3 and 4, omitted]

Have you seen any other examples of 2FA verification that do a nice job of educating visitors step by step? cc: @yozlet @adelevie @esgoodman @juliaelman @jackiekazil @harrisj

esgoodman commented 9 years ago

I feel like Google's flow may be more elaborate than we need. There's a mural.ly doc where I've been collecting examples: https://mural.ly/t/gsa6/m/gsa6/1426803022441.

esgoodman commented 9 years ago

Closing because we've decided this and are now implementing the decision.